Example #1
0
// newControllerUserFromGroup returns a permission.UserAccess that serves
// as a stand-in for a user that has group access but no explicit user
// access.
func newControllerUserFromGroup(everyoneAccess permission.UserAccess,
	userTag names.UserTag) permission.UserAccess {
	everyoneAccess.UserTag = userTag
	everyoneAccess.UserID = strings.ToLower(userTag.Canonical())
	everyoneAccess.UserName = userTag.Canonical()
	return everyoneAccess
}
Example #2
0
// maybeUseGroupPermission returns a permission.UserAccess updated
// with the group permissions that apply to it if higher than
// current.
// If the passed UserAccess is empty (controller user lacks permissions)
// but the group is not, a stand-in will be created to hold the group
// permissions.
func maybeUseGroupPermission(
	userGetter userAccessFunc,
	externalUser permission.UserAccess,
	controllerTag names.ControllerTag,
	userTag names.UserTag,
) (permission.UserAccess, error) {

	everyoneTag := names.NewUserTag(EveryoneTagName)
	everyone, err := userGetter(everyoneTag, controllerTag)
	if errors.IsNotFound(err) {
		return externalUser, nil
	}
	if err != nil {
		return permission.UserAccess{}, errors.Trace(err)
	}
	if permission.IsEmptyUserAccess(externalUser) &&
		!permission.IsEmptyUserAccess(everyone) {
		externalUser = newControllerUserFromGroup(everyone, userTag)
	}

	if everyone.Access.EqualOrGreaterControllerAccessThan(externalUser.Access) {
		externalUser.Access = everyone.Access
	}
	return externalUser, nil
}